A Pulumi package for creating and managing Google Cloud Platform resources.
import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* Manages a Google Kubernetes Engine (GKE) cluster.
*
* To get more information about GKE clusters, see:
* * [The API reference](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters)
* * How-to guides
* * [GKE overview](https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview)
* * [About cluster configuration choices](https://cloud.google.com/kubernetes-engine/docs/concepts/types-of-clusters)
*
* > On version 5.0.0+ of the provider, you must explicitly set `deletionProtection = false`
* and run `pulumi up` to write the field to state in order to destroy a cluster.
*
* > All arguments and attributes (including certificate outputs such as the client certificate in `masterAuth`) will be stored in the raw state as
* plaintext. Treat the state backend as sensitive and read more about sensitive data in state.
*
* ## Example Usage
*
* ### With A Separately Managed Node Pool (Recommended)
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.serviceaccount.Account("default", {
* accountId: "service-account-id",
* displayName: "Service Account",
* });
* const primary = new gcp.container.Cluster("primary", {
* name: "my-gke-cluster",
* location: "us-central1",
* removeDefaultNodePool: true,
* initialNodeCount: 1,
* });
* const primaryPreemptibleNodes = new gcp.container.NodePool("primary_preemptible_nodes", {
* name: "my-node-pool",
* location: "us-central1",
* cluster: primary.name,
* nodeCount: 1,
* nodeConfig: {
* preemptible: true,
* machineType: "e2-medium",
* serviceAccount: _default.email,
* oauthScopes: ["https://www.googleapis.com/auth/cloud-platform"],
* },
* });
* ```
*
* > **Note:** It is recommended that node pools be created and managed as separate resources as in the example above.
* This allows node pools to be added and removed without recreating the cluster. Node pools defined directly in the
* `gcp.container.Cluster` resource cannot be removed without re-creating the cluster.
*
* ### With The Default Node Pool
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.serviceaccount.Account("default", {
* accountId: "service-account-id",
* displayName: "Service Account",
* });
* const primary = new gcp.container.Cluster("primary", {
* name: "marcellus-wallace",
* location: "us-central1-a",
* initialNodeCount: 3,
* nodeConfig: {
* serviceAccount: _default.email,
* oauthScopes: ["https://www.googleapis.com/auth/cloud-platform"],
* labels: {
* foo: "bar",
* },
* tags: [
* "foo",
* "bar",
* ],
* },
* });
* ```
*
* ### Autopilot
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.serviceaccount.Account("default", {
* accountId: "service-account-id",
* displayName: "Service Account",
* });
* const primary = new gcp.container.Cluster("primary", {
* name: "marcellus-wallace",
* location: "us-central1-a",
* enableAutopilot: true,
* });
* ```
*
* ## Import
*
* GKE clusters can be imported using the `project`, `location`, and `name`. If the project is omitted, the default
* provider value will be used. Examples:
*
* * `projects/{{project_id}}/locations/{{location}}/clusters/{{cluster_id}}`
* * `{{project_id}}/{{location}}/{{cluster_id}}`
* * `{{location}}/{{cluster_id}}`
*
* When using the `pulumi import` command, GKE clusters can be imported using one of the formats above. For example:
*
* ```sh
* $ pulumi import gcp:container/cluster:Cluster default projects/{{project_id}}/locations/{{location}}/clusters/{{cluster_id}}
*
* $ pulumi import gcp:container/cluster:Cluster default {{project_id}}/{{location}}/{{cluster_id}}
*
* $ pulumi import gcp:container/cluster:Cluster default {{location}}/{{cluster_id}}
* ```
*
* > **Note:** This resource has several fields that control Terraform-specific behavior and aren't present in the API. If they are set in config and you import a cluster, Terraform may need to perform an update immediately after import. Most of these updates should be no-ops but some may modify your cluster if the imported state differs.
*
* For example, the following fields will show diffs if set in config:
*
* - `minMasterVersion`
* - `removeDefaultNodePool`
*/
export declare class Cluster extends pulumi.CustomResource {
    /**
     * Get an existing Cluster resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ClusterState, opts?: pulumi.CustomResourceOptions): Cluster;
    /**
     * Returns true if the given object is an instance of Cluster. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Cluster;
    /**
     * The configuration for addons supported by GKE.
     * Structure is documented below.
     */
    readonly addonsConfig: pulumi.Output<outputs.container.ClusterAddonsConfig>;
    /**
     * Enable NET_ADMIN for the cluster. Defaults to
     * `false`. This field should only be enabled for Autopilot clusters (`enableAutopilot`
     * set to `true`).
     */
    readonly allowNetAdmin: pulumi.Output<boolean | undefined>;
    /**
     * Configuration for [anonymous authentication restrictions](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict-anon-access). Structure is documented below.
     */
    readonly anonymousAuthenticationConfig: pulumi.Output<outputs.container.ClusterAnonymousAuthenticationConfig>;
    /**
     * Configuration for the
     * [Google Groups for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#groups-setup-gsuite) feature.
     * Structure is documented below.
     */
    readonly authenticatorGroupsConfig: pulumi.Output<outputs.container.ClusterAuthenticatorGroupsConfig>;
    /**
     * Per-cluster configuration of Autopilot cluster policies in GKE clusters. This field can only be configured in non-Autopilot clusters. Structure is documented below.
     */
    readonly autopilotClusterPolicyConfig: pulumi.Output<outputs.container.ClusterAutopilotClusterPolicyConfig>;
    /**
     * The customer
     * allowlist Cloud Storage paths for the cluster. These paths are used with the
     * `--autopilot-privileged-admission` flag to authorize privileged workloads in
     * Autopilot clusters. See the Cluster API's
     * [PrivilegedAdmissionConfig](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#privilegedadmissionconfig)
     * documentation for more details.
     */
    readonly autopilotPrivilegedAdmissions: pulumi.Output<string[]>;
    /**
     * Configuration options for the Binary
     * Authorization feature. Structure is documented below.
     */
    readonly binaryAuthorization: pulumi.Output<outputs.container.ClusterBinaryAuthorization | undefined>;
    /**
     * Per-cluster configuration of Node Auto-Provisioning with Cluster Autoscaler to
     * automatically adjust the size of the cluster and create/delete node pools based
     * on the current needs of the cluster's workload. See the
     * [guide to using Node Auto-Provisioning](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning)
     * for more details. Structure is documented below.
     */
    readonly clusterAutoscaling: pulumi.Output<outputs.container.ClusterClusterAutoscaling>;
    /**
     * The IP address range of the Kubernetes pods
     * in this cluster in CIDR notation (e.g. `10.96.0.0/14`). Leave blank to have one
     * automatically chosen or specify a `/14` block in `10.0.0.0/8`. This field will
     * default a new cluster to routes-based, where `ipAllocationPolicy` is not defined.
     */
    readonly clusterIpv4Cidr: pulumi.Output<string>;
    /**
     * Configuration for the
     * [ClusterTelemetry](https://cloud.google.com/monitoring/kubernetes-engine/installing#controlling_the_collection_of_application_logs) feature.
     * Structure is documented below.
     */
    readonly clusterTelemetry: pulumi.Output<outputs.container.ClusterClusterTelemetry>;
    /**
     * Configuration for the [Confidential Nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes) feature. Structure is documented below.
     */
    readonly confidentialNodes: pulumi.Output<outputs.container.ClusterConfidentialNodes>;
    /**
     * Configuration for all of the cluster's control plane endpoints.
     * Structure is documented below.
     */
    readonly controlPlaneEndpointsConfig: pulumi.Output<outputs.container.ClusterControlPlaneEndpointsConfig>;
    /**
     * Configuration for the
     * [Cost Allocation](https://cloud.google.com/kubernetes-engine/docs/how-to/cost-allocations) feature.
     * Structure is documented below.
     */
    readonly costManagementConfig: pulumi.Output<outputs.container.ClusterCostManagementConfig>;
    /**
     * Configuration block for `databaseEncryption` (encryption of the cluster's
     * Kubernetes secrets at the application layer). Structure is documented below.
     */
    readonly databaseEncryption: pulumi.Output<outputs.container.ClusterDatabaseEncryption>;
    /**
     * The desired datapath provider for this cluster. This is set to `LEGACY_DATAPATH` by default, which uses the IPTables-based kube-proxy implementation. Set to `ADVANCED_DATAPATH` to enable Dataplane v2.
     */
    readonly datapathProvider: pulumi.Output<string>;
    /**
     * The default maximum number of pods
     * per node in this cluster. This doesn't work on "routes-based" clusters, clusters
     * that don't have IP Aliasing enabled. See the [official documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/flexible-pod-cidr)
     * for more information.
     */
    readonly defaultMaxPodsPerNode: pulumi.Output<number>;
    /**
     * [GKE SNAT](https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent#how_ipmasq_works) DefaultSnatStatus contains the desired state of whether default sNAT should be disabled on the cluster, [API doc](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#networkconfig). Structure is documented below.
     */
    readonly defaultSnatStatus: pulumi.Output<outputs.container.ClusterDefaultSnatStatus>;
    /**
     * (Optional) Whether Terraform will be prevented from destroying the resource. Defaults to "DELETE".
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     */
    readonly deletionPolicy: pulumi.Output<string>;
    /**
     * Whether Terraform will be prevented from
     * destroying the cluster. Deleting this cluster via `terraform destroy` or
     * `pulumi up` will only succeed if this field is `false` in the Terraform
     * state. On version 5.0.0+ of the provider this must be explicitly set to
     * `false` and applied before the cluster can be destroyed.
     */
    readonly deletionProtection: pulumi.Output<boolean | undefined>;
    /**
     * Description of the cluster.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Disable L4 load balancer VPC firewalls to enable firewall policies.
     */
    readonly disableL4LbFirewallReconciliation: pulumi.Output<boolean | undefined>;
    /**
     * Configuration for [Using Cloud DNS for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns). Structure is documented below.
     */
    readonly dnsConfig: pulumi.Output<outputs.container.ClusterDnsConfig | undefined>;
    /**
     * All of the labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    readonly effectiveLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Enable Autopilot for this cluster. Defaults to `false`.
     * Note that when this option is enabled, certain features of Standard GKE are not available.
     * See the [official documentation](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview#comparison)
     * for available features.
     */
    readonly enableAutopilot: pulumi.Output<boolean | undefined>;
    /**
     * Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to `false`.
     */
    readonly enableCiliumClusterwideNetworkPolicy: pulumi.Output<boolean | undefined>;
    /**
     * Whether FQDN Network Policy is enabled on this cluster. Users who enable this feature for existing Standard clusters must restart the GKE Dataplane V2 `anetd` DaemonSet after enabling it. See [Enable FQDN Network Policy in an existing cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/fqdn-network-policies#enable_fqdn_network_policy_in_an_existing_cluster) for more information.
     */
    readonly enableFqdnNetworkPolicy: pulumi.Output<boolean | undefined>;
    /**
     * Whether Intra-node visibility is enabled for this cluster. This makes same-node pod-to-pod traffic visible to the VPC network.
     */
    readonly enableIntranodeVisibility: pulumi.Output<boolean>;
    /**
     * Configuration for Kubernetes Beta APIs.
     * Structure is documented below.
     */
    readonly enableK8sBetaApis: pulumi.Output<outputs.container.ClusterEnableK8sBetaApis | undefined>;
    /**
     * Whether to enable Kubernetes Alpha features for
     * this cluster. Note that when this option is enabled, the cluster cannot be upgraded
     * and will be automatically deleted after 30 days.
     */
    readonly enableKubernetesAlpha: pulumi.Output<boolean | undefined>;
    /**
     * Whether L4ILB Subsetting is enabled for this cluster.
     */
    readonly enableL4IlbSubsetting: pulumi.Output<boolean>;
    /**
     * Whether the ABAC authorizer is enabled for this cluster.
     * When enabled, identities in the system, including service accounts, nodes, and controllers,
     * will have statically granted permissions beyond those provided by the RBAC configuration or IAM,
     * so enabling it widens the cluster's authorization surface. Defaults to `false`.
     */
    readonly enableLegacyAbac: pulumi.Output<boolean | undefined>;
    /**
     * Whether multi-networking is enabled for this cluster.
     */
    readonly enableMultiNetworking: pulumi.Output<boolean | undefined>;
    /**
     * Enable Shielded Nodes features on all nodes in this cluster. Defaults to `true`.
     */
    readonly enableShieldedNodes: pulumi.Output<boolean | undefined>;
    /**
     * Whether to enable Cloud TPU resources in this cluster.
     * See the [official documentation](https://cloud.google.com/tpu/docs/kubernetes-engine-setup).
     */
    readonly enableTpu: pulumi.Output<boolean>;
    /**
     * The IP address of this cluster's Kubernetes master.
     */
    readonly endpoint: pulumi.Output<string>;
    /**
     * (DEPRECATED) Configuration for [Enterprise edition](https://cloud.google.com/kubernetes-engine/enterprise/docs/concepts/gke-editions). Structure is documented below. Deprecated as GKE Enterprise features are now available without an Enterprise tier. See https://cloud.google.com/blog/products/containers-kubernetes/gke-gets-new-pricing-and-capabilities-on-10th-birthday for the announcement of this change.
     *
     * @deprecated GKE Enterprise features are now available without an Enterprise tier. This field is deprecated and will be removed in a future major release
     */
    readonly enterpriseConfig: pulumi.Output<outputs.container.ClusterEnterpriseConfig>;
    /**
     * Fleet configuration for the cluster. Structure is documented below.
     */
    readonly fleet: pulumi.Output<outputs.container.ClusterFleet | undefined>;
    /**
     * Configuration for [GKE Gateway API controller](https://cloud.google.com/kubernetes-engine/docs/concepts/gateway-api). Structure is documented below.
     */
    readonly gatewayApiConfig: pulumi.Output<outputs.container.ClusterGatewayApiConfig>;
    /**
     * Configuration options for the auto-upgrade patch type feature, which provides more control over the speed of automatic upgrades of your GKE clusters.
     * Structure is documented below.
     */
    readonly gkeAutoUpgradeConfig: pulumi.Output<outputs.container.ClusterGkeAutoUpgradeConfig>;
    /**
     * Configuration block for `identityServiceConfig`. Structure is documented below.
     */
    readonly identityServiceConfig: pulumi.Output<outputs.container.ClusterIdentityServiceConfig>;
    /**
     * Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`.
     */
    readonly inTransitEncryptionConfig: pulumi.Output<string | undefined>;
    /**
     * The number of nodes to create in this
     * cluster's default node pool. In regional or multi-zonal clusters, this is the
     * number of nodes per zone. Must be set if `nodePool` is not set. If you're using
     * `gcp.container.NodePool` objects with no default node pool, you'll need to
     * set this to a value of at least `1`, alongside setting
     * `removeDefaultNodePool` to `true`.
     */
    readonly initialNodeCount: pulumi.Output<number | undefined>;
    /**
     * Configuration of cluster IP allocation for
     * VPC-native clusters. If this block is unset during creation, it will be set by the GKE backend.
     * Structure is documented below.
     */
    readonly ipAllocationPolicy: pulumi.Output<outputs.container.ClusterIpAllocationPolicy>;
    /**
     * The fingerprint of the set of labels for this cluster.
     */
    readonly labelFingerprint: pulumi.Output<string>;
    /**
     * The location (region or zone) in which the cluster
     * master will be created, as well as the default node location. If you specify a
     * zone (such as `us-central1-a`), the cluster will be a zonal cluster with a
     * single cluster master. If you specify a region (such as `us-west1`), the
     * cluster will be a regional cluster with multiple masters spread across zones in
     * the region, and with default node locations in those zones as well.
     */
    readonly location: pulumi.Output<string>;
    /**
     * Logging configuration for the cluster.
     * Structure is documented below.
     */
    readonly loggingConfig: pulumi.Output<outputs.container.ClusterLoggingConfig>;
    /**
     * The logging service that the cluster should
     * write logs to. Available options include `logging.googleapis.com` (Legacy Stackdriver),
     * `logging.googleapis.com/kubernetes` (Stackdriver Kubernetes Engine Logging), and `none`. Defaults to `logging.googleapis.com/kubernetes`.
     */
    readonly loggingService: pulumi.Output<string>;
    /**
     * The maintenance policy to use for the cluster. Structure is
     * documented below.
     */
    readonly maintenancePolicy: pulumi.Output<outputs.container.ClusterMaintenancePolicy | undefined>;
    /**
     * Configuration for the [GKE Managed ML Diagnostics](https://docs.cloud.google.com/kubernetes-engine/docs/concepts/TODO) feature
     * (the upstream documentation link is still a placeholder). Structure is documented below.
     */
    readonly managedMachineLearningDiagnosticsConfig: pulumi.Output<outputs.container.ClusterManagedMachineLearningDiagnosticsConfig>;
    /**
     * Configuration for the [GKE Managed OpenTelemetry](https://docs.cloud.google.com/kubernetes-engine/docs/concepts/managed-otel-gke) feature. Structure is documented below.
     */
    readonly managedOpentelemetryConfig: pulumi.Output<outputs.container.ClusterManagedOpentelemetryConfig>;
    /**
     * The authentication information for accessing the
     * Kubernetes master. Some values in this block are only returned by the API if
     * your service account has permission to get credentials for your GKE cluster. If
     * you see an unexpected diff unsetting your client cert, ensure you have the
     * `container.clusters.getCredentials` permission.
     *
     * Like every other attribute of this resource, the values in this block (including
     * certificate outputs) are stored in the raw state as plaintext; protect the state
     * backend accordingly.
     * Structure is documented below.
     */
    readonly masterAuth: pulumi.Output<outputs.container.ClusterMasterAuth>;
    /**
     * The desired
     * configuration options for master authorized networks. Omit the
     * nested `cidrBlocks` attribute to disallow external access (except
     * the cluster node IPs, which GKE automatically allowlists).
     * Structure is documented below.
     */
    readonly masterAuthorizedNetworksConfig: pulumi.Output<outputs.container.ClusterMasterAuthorizedNetworksConfig>;
    /**
     * The current version of the master in the cluster. This may
     * be different than the `minMasterVersion` set in the config if the master
     * has been updated by GKE.
     */
    readonly masterVersion: pulumi.Output<string>;
    /**
     * Configuration block for `meshCertificates`. Structure is documented below.
     */
    readonly meshCertificates: pulumi.Output<outputs.container.ClusterMeshCertificates>;
    /**
     * The minimum version of the master. GKE
     * will auto-update the master to new versions, so this does not guarantee the
     * current master version--use the read-only `masterVersion` field to obtain that.
     * If unset, the cluster's version will be set by GKE to the version of the most recent
     * official release (which is not necessarily the latest version). Most users will find
     * the `gcp.container.getEngineVersions` data source useful - it indicates which versions
     * are available. If you intend to specify versions manually,
     * [the docs](https://cloud.google.com/kubernetes-engine/versioning-and-upgrades#specifying_cluster_version)
     * describe the various acceptable formats for this field.
     *
     * > If you are using the `gcp.container.getEngineVersions` datasource with a regional cluster, ensure that you have provided a `location`
     * to the datasource. A region can have a different set of supported versions than its corresponding zones, and not all zones in a
     * region are guaranteed to support the same version.
     */
    readonly minMasterVersion: pulumi.Output<string | undefined>;
    /**
     * Monitoring configuration for the cluster.
     * Structure is documented below.
     */
    readonly monitoringConfig: pulumi.Output<outputs.container.ClusterMonitoringConfig>;
    /**
     * The monitoring service that the cluster
     * should write metrics to.
     * Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API.
     * VM metrics will be collected by Google Compute Engine regardless of this setting.
     * Available options include
     * `monitoring.googleapis.com` (Legacy Stackdriver), `monitoring.googleapis.com/kubernetes` (Stackdriver Kubernetes Engine Monitoring), and `none`.
     * Defaults to `monitoring.googleapis.com/kubernetes`.
     */
    readonly monitoringService: pulumi.Output<string>;
    /**
     * The name of the cluster, unique within the project and
     * location.
     *
     * - - -
     */
    readonly name: pulumi.Output<string>;
    /**
     * The name or selfLink of the Google Compute Engine
     * network to which the cluster is connected. For Shared VPC, set this to the self link of the
     * shared network.
     */
    readonly network: pulumi.Output<string | undefined>;
    /**
     * Network bandwidth tier configuration.
     */
    readonly networkPerformanceConfig: pulumi.Output<outputs.container.ClusterNetworkPerformanceConfig | undefined>;
    /**
     * Configuration options for the
     * [NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/networkpolicies/)
     * feature. Structure is documented below.
     */
    readonly networkPolicy: pulumi.Output<outputs.container.ClusterNetworkPolicy | undefined>;
    /**
     * Determines whether alias IPs or routes will be used for pod IPs in the cluster.
     * Options are `VPC_NATIVE` or `ROUTES`. `VPC_NATIVE` enables [IP aliasing](https://cloud.google.com/kubernetes-engine/docs/how-to/ip-aliases). Newly created clusters will default to `VPC_NATIVE`.
     */
    readonly networkingMode: pulumi.Output<string>;
    /**
     * Parameters used in creating the default node pool.
     * Generally, this field should not be used at the same time as a
     * `gcp.container.NodePool` or a `nodePool` block; this configuration
     * manages the default node pool, which isn't recommended to be used.
     * Structure is documented below.
     */
    readonly nodeConfig: pulumi.Output<outputs.container.ClusterNodeConfig>;
    /**
     * The list of zones in which the cluster's nodes
     * are located. Nodes must be in the region of their regional cluster or in the
     * same region as their cluster's zone for zonal clusters. If this is specified for
     * a zonal cluster, omit the cluster's zone.
     *
     * > A "multi-zonal" cluster is a zonal cluster with at least one additional zone
     * defined; in a multi-zonal cluster, the cluster master is only present in a
     * single zone while nodes are present in each of the primary zone and the node
     * locations. In contrast, in a regional cluster, cluster master nodes are present
     * in multiple zones in the region. For that reason, regional clusters should be
     * preferred.
     */
    readonly nodeLocations: pulumi.Output<string[]>;
    /**
     * Node pool configs that apply to auto-provisioned node pools in
     * [autopilot](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview#comparison) clusters and
     * [node auto-provisioning](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning)-enabled clusters. Structure is documented below.
     */
    readonly nodePoolAutoConfig: pulumi.Output<outputs.container.ClusterNodePoolAutoConfig>;
    /**
     * Default NodePool settings for the entire cluster. These settings are overridden if specified on the specific NodePool object. Structure is documented below.
     */
    readonly nodePoolDefaults: pulumi.Output<outputs.container.ClusterNodePoolDefaults>;
    /**
     * List of node pools associated with this cluster.
     * See gcp.container.NodePool for schema.
     * **Warning:** node pools defined inside a cluster can't be changed (or added/removed) after
     * cluster creation without deleting and recreating the entire cluster. Unless you absolutely need the ability
     * to say "these are the _only_ node pools associated with this cluster", use the
     * gcp.container.NodePool resource instead of this property.
     */
    readonly nodePools: pulumi.Output<outputs.container.ClusterNodePool[]>;
    /**
     * The Kubernetes version on the nodes. Must either be unset
     * or set to the same value as `minMasterVersion` on create. Defaults to the default
     * version set by GKE which is not necessarily the latest version. This only affects
     * nodes in the default node pool. While a fuzzy version can be specified, it's
     * recommended that you specify explicit versions as the provider will see spurious diffs
     * when fuzzy versions are used. See the `gcp.container.getEngineVersions` data source's
     * `versionPrefix` field to approximate fuzzy versions.
     * To update nodes in other node pools, use the `version` attribute on the node pool.
     */
    readonly nodeVersion: pulumi.Output<string>;
    /**
     * Configuration for the [cluster upgrade notifications](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-upgrade-notifications) feature. Structure is documented below.
     */
    readonly notificationConfig: pulumi.Output<outputs.container.ClusterNotificationConfig>;
    /**
     * Read-only output with no upstream description. NOTE(review): presumably the
     * identifier of the most recent long-running GKE operation on this cluster — confirm
     * against the provider schema before relying on it.
     */
    readonly operation: pulumi.Output<string>;
    /**
     * Configuration block for `podAutoscaling`. Structure is documented below.
     */
    readonly podAutoscaling: pulumi.Output<outputs.container.ClusterPodAutoscaling>;
    /**
     * Configuration for the
     * [PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature.
     * Structure is documented below.
     */
    readonly podSecurityPolicyConfig: pulumi.Output<outputs.container.ClusterPodSecurityPolicyConfig | undefined>;
    /**
     * Configuration for [private clusters](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters),
     * clusters with private nodes. Structure is documented below.
     */
    readonly privateClusterConfig: pulumi.Output<outputs.container.ClusterPrivateClusterConfig>;
    /**
     * The desired state of IPv6 connectivity to Google Services. By default, no private IPv6 access to or from Google Services (all access will be via IPv4).
     */
    readonly privateIpv6GoogleAccess: pulumi.Output<string>;
    /**
     * The ID of the project in which the resource belongs. If it
     * is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * Enable/Disable Protect API features for the cluster. Structure is documented below.
     */
    readonly protectConfig: pulumi.Output<outputs.container.ClusterProtectConfig>;
    /**
     * The combination of labels configured directly on the resource and default labels configured on the provider.
     */
    readonly pulumiLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * RBACBindingConfig allows the user to restrict the ClusterRoleBindings and RoleBindings that can be created. Structure is documented below.
     */
    readonly rbacBindingConfig: pulumi.Output<outputs.container.ClusterRbacBindingConfig>;
    /**
     * Configuration options for the [Release channel](https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels)
     * feature, which provide more control over automatic upgrades of your GKE clusters.
     * When updating this field, GKE imposes specific version requirements. See
     * [Selecting a new release channel](https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels#selecting_a_new_release_channel)
     * for more details; the `gcp.container.getEngineVersions` datasource can provide
     * the default version for a channel. Note that removing the `releaseChannel`
     * field from your config will cause the provider to stop managing your cluster's
     * release channel, but will not unenroll it. Instead, use the `"UNSPECIFIED"`
     * channel. Structure is documented below.
     */
    readonly releaseChannel: pulumi.Output<outputs.container.ClusterReleaseChannel>;
    /**
     * If `true`, deletes the default node
     * pool upon cluster creation. If you're using `gcp.container.NodePool`
     * resources with no default node pool, this should be set to `true`, alongside
     * setting `initialNodeCount` to at least `1`.
     */
    readonly removeDefaultNodePool: pulumi.Output<boolean | undefined>;
    /**
     * The GCE resource labels (a map of key/value pairs) to be applied to the cluster.
     *
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    readonly resourceLabels: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * Configuration for the
     * [ResourceUsageExportConfig](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering) feature.
     * Structure is documented below.
     */
    readonly resourceUsageExportConfig: pulumi.Output<outputs.container.ClusterResourceUsageExportConfig | undefined>;
    /**
     * Configuration for the
     * [SecretManagerConfig](https://cloud.google.com/secret-manager/docs/secret-manager-managed-csi-component) feature.
     * Structure is documented below.
     */
    readonly secretManagerConfig: pulumi.Output<outputs.container.ClusterSecretManagerConfig | undefined>;
    /**
     * Configuration for the
     * [SecretSyncConfig](https://cloud.google.com/secret-manager/docs/sync-k8-secrets) feature.
     * Structure is documented below.
     */
    readonly secretSyncConfig: pulumi.Output<outputs.container.ClusterSecretSyncConfig | undefined>;
    /**
     * Enable/Disable Security Posture API features for the cluster. Structure is documented below.
     */
    readonly securityPostureConfig: pulumi.Output<outputs.container.ClusterSecurityPostureConfig>;
    /**
     * The server-defined URL for the resource.
     */
    readonly selfLink: pulumi.Output<string>;
    /**
     * Configuration block for `serviceExternalIpsConfig`. Structure is documented below.
     */
    readonly serviceExternalIpsConfig: pulumi.Output<outputs.container.ClusterServiceExternalIpsConfig>;
    /**
     * The IP address range of the Kubernetes services in this
     * cluster, in [CIDR](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
     * notation (e.g. `1.2.3.4/29`). Service addresses are typically put in the last
     * `/16` from the container CIDR.
     */
    readonly servicesIpv4Cidr: pulumi.Output<string>;
    /**
     * The name or selfLink of the Google Compute Engine
     * subnetwork in which the cluster's instances are launched.
     */
    readonly subnetwork: pulumi.Output<string>;
    /**
     * TPU configuration for the cluster.
     */
    readonly tpuConfig: pulumi.Output<outputs.container.ClusterTpuConfig>;
    /**
     * The IP address range of the Cloud TPUs in this cluster, in
     * [CIDR](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
     * notation (e.g. `1.2.3.4/29`).
     */
    readonly tpuIpv4CidrBlock: pulumi.Output<string>;
    /**
     * The custom keys configuration of the cluster. Structure is documented below.
     */
    readonly userManagedKeysConfig: pulumi.Output<outputs.container.ClusterUserManagedKeysConfig | undefined>;
    /**
     * Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it.
     * Structure is documented below.
     */
    readonly verticalPodAutoscaling: pulumi.Output<outputs.container.ClusterVerticalPodAutoscaling>;
    /**
     * Configuration for [direct-path (via ALTS) with workload identity](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#workloadaltsconfig). Structure is documented below.
     */
    readonly workloadAltsConfig: pulumi.Output<outputs.container.ClusterWorkloadAltsConfig>;
    /**
     * Workload Identity allows Kubernetes service accounts to act as a user-managed
     * [Google IAM Service Account](https://cloud.google.com/iam/docs/service-accounts#user-managed_service_accounts).
     * Structure is documented below.
     */
    readonly workloadIdentityConfig: pulumi.Output<outputs.container.ClusterWorkloadIdentityConfig>;
    /**
     * Create a Cluster resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args?: ClusterArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Cluster resources.
*/
export interface ClusterState {
/**
* The configuration for addons supported by GKE.
* Structure is documented below.
*/
addonsConfig?: pulumi.Input<inputs.container.ClusterAddonsConfig | undefined>;
/**
* Enable NET_ADMIN for the cluster. Defaults to
* `false`. This field should only be enabled for Autopilot clusters (`enableAutopilot`
* set to `true`).
*/
allowNetAdmin?: pulumi.Input<boolean | undefined>;
/**
* Configuration for [anonymous authentication restrictions](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict-anon-access). Structure is documented below.
*/
anonymousAuthenticationConfig?: pulumi.Input<inputs.container.ClusterAnonymousAuthenticationConfig | undefined>;
/**
* Configuration for the
* [Google Groups for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#groups-setup-gsuite) feature.
* Structure is documented below.
*/
authenticatorGroupsConfig?: pulumi.Input<inputs.container.ClusterAuthenticatorGroupsConfig | undefined>;
/**
* Per-cluster configuration of Autopilot cluster policies in GKE clusters. This field can only be configured in non Autopilot clusters. Structure is documented below.
*/
autopilotClusterPolicyConfig?: pulumi.Input<inputs.container.ClusterAutopilotClusterPolicyConfig | undefined>;
/**
* The customer
* allowlist Cloud Storage paths for the cluster. These paths are used with the
* `--autopilot-privileged-admission` flag to authorize privileged workloads in
* Autopilot clusters. See the Cluster API's
* [PrivilegedAdmissionConfig](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#privilegedadmissionconfig)
* documentation for more details.
*/
autopilotPrivilegedAdmissions?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Configuration options for the Binary
* Authorization feature. Structure is documented below.
*/
binaryAuthorization?: pulumi.Input<inputs.container.ClusterBinaryAuthorization | undefined>;
/**
* Per-cluster configuration of Node Auto-Provisioning with Cluster Autoscaler to
* automatically adjust the size of the cluster and create/delete node pools based
* on the current needs of the cluster's workload. See the
* [guide to using Node Auto-Provisioning](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning)
* for more details. Structure is documented below.
*/
clusterAutoscaling?: pulumi.Input<inputs.container.ClusterClusterAutoscaling | undefined>;
/**
* The IP address range of the Kubernetes pods
* in this cluster in CIDR notation (e.g. `10.96.0.0/14`). Leave blank to have one
* automatically chosen or specify a `/14` block in `10.0.0.0/8`. This field will
* default a new cluster to routes-based, where `ipAllocationPolicy` is not defined.
*/
clusterIpv4Cidr?: pulumi.Input<string | undefined>;
/**
* Configuration for the
* [ClusterTelemetry](https://cloud.google.com/monitoring/kubernetes-engine/installing#controlling_the_collection_of_application_logs) feature.
* Structure is documented below.
*/
clusterTelemetry?: pulumi.Input<inputs.container.ClusterClusterTelemetry | undefined>;
/**
* Configuration for the [Confidential Nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes) feature. Structure is documented below.
*/
confidentialNodes?: pulumi.Input<inputs.container.ClusterConfidentialNodes | undefined>;
/**
* Configuration for all of the cluster's control plane endpoints.
* Structure is documented below.
*/
controlPlaneEndpointsConfig?: pulumi.Input<inputs.container.ClusterControlPlaneEndpointsConfig | undefined>;
/**
* Configuration for the
* [Cost Allocation](https://cloud.google.com/kubernetes-engine/docs/how-to/cost-allocations) feature.
* Structure is documented below.
*/
costManagementConfig?: pulumi.Input<inputs.container.ClusterCostManagementConfig | undefined>;
/**
* Structure is documented below.
*/
databaseEncryption?: pulumi.Input<inputs.container.ClusterDatabaseEncryption | undefined>;
/**
* The desired datapath provider for this cluster. This is set to `LEGACY_DATAPATH` by default, which uses the IPTables-based kube-proxy implementation. Set to `ADVANCED_DATAPATH` to enable Dataplane v2.
*/
datapathProvider?: pulumi.Input<string | undefined>;
/**
* The default maximum number of pods
* per node in this cluster. This doesn't work on "routes-based" clusters, clusters
* that don't have IP Aliasing enabled. See the [official documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/flexible-pod-cidr)
* for more information.
*/
defaultMaxPodsPerNode?: pulumi.Input<number | undefined>;
/**
* [GKE SNAT](https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent#how_ipmasq_works) configuration. `DefaultSnatStatus` holds the desired state of whether default SNAT should be disabled on the cluster; see the [API doc](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#networkconfig). Structure is documented below.
*/
defaultSnatStatus?: pulumi.Input<inputs.container.ClusterDefaultSnatStatus | undefined>;
/**
* (Optional) Controls what happens to the cluster when this resource is deleted. Defaults to "DELETE".
* When a 'terraform destroy' or 'pulumi up' would delete the resource,
* the command will fail if this field is set to "PREVENT" in the Terraform state.
* When set to "ABANDON", the command removes the resource from Terraform
* management without updating or deleting the cluster in the API (the cluster itself is left in place).
* When set to "DELETE", deleting the resource is allowed.
*/
deletionPolicy?: pulumi.Input<string | undefined>;
/**
* Whether Terraform will be prevented from
* destroying the cluster. Deleting this cluster via `terraform destroy` or
* `pulumi up` will only succeed if this field is `false` in the Terraform
* state.
*/
deletionProtection?: pulumi.Input<boolean | undefined>;
/**
* Description of the cluster.
*/
description?: pulumi.Input<string | undefined>;
/**
* Disable L4 load balancer VPC firewalls to enable firewall policies.
*/
disableL4LbFirewallReconciliation?: pulumi.Input<boolean | undefined>;
/**
* Configuration for [Using Cloud DNS for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns). Structure is documented below.
*/
dnsConfig?: pulumi.Input<inputs.container.ClusterDnsConfig | undefined>;
/**
* All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
*/
effectiveLabels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
} | undefined>;
/**
* Enable Autopilot for this cluster. Defaults to `false`.
* Note that when this option is enabled, certain features of Standard GKE are not available.
* See the [official documentation](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview#comparison)
* for available features.
*/
enableAutopilot?: pulumi.Input<boolean | undefined>;
/**
* Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false.
*/
enableCiliumClusterwideNetworkPolicy?: pulumi.Input<boolean | undefined>;
/**
* Whether FQDN Network Policy is enabled on this cluster. Users who enable this feature for existing Standard clusters must restart the GKE Dataplane V2 `anetd` DaemonSet after enabling it. See the [Enable FQDN Network Policy in an existing cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/fqdn-network-policies#enable_fqdn_network_policy_in_an_existing_cluster) for more information.
*/
enableFqdnNetworkPolicy?: pulumi.Input<boolean | undefined>;
/**
* Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network.
*/
enableIntranodeVisibility?: pulumi.Input<boolean | undefined>;
/**
* Configuration for Kubernetes Beta APIs.
* Structure is documented below.
*/
enableK8sBetaApis?: pulumi.Input<inputs.container.ClusterEnableK8sBetaApis | undefined>;
/**
* Whether to enable Kubernetes Alpha features for
* this cluster. Note that when this option is enabled, the cluster cannot be upgraded
* and will be automatically deleted after 30 days.
*/
enableKubernetesAlpha?: pulumi.Input<boolean | undefined>;
/**
* Whether L4ILB Subsetting is enabled for this cluster.
*/
enableL4IlbSubsetting?: pulumi.Input<boolean | undefined>;
/**
* Whether the ABAC authorizer is enabled for this cluster.
* When enabled, identities in the system, including service accounts, nodes, and controllers,
* are statically granted permissions beyond those provided by the RBAC configuration or IAM.
* Defaults to `false`.
*/
enableLegacyAbac?: pulumi.Input<boolean | undefined>;
/**
* Whether multi-networking is enabled for this cluster.
*/
enableMultiNetworking?: pulumi.Input<boolean | undefined>;
/**
* Enable Shielded Nodes features on all nodes in this cluster. Defaults to `true`.
*/
enableShieldedNodes?: pulumi.Input<boolean | undefined>;
/**
* Whether to enable Cloud TPU resources in this cluster.
* See the [official documentation](https://cloud.google.com/tpu/docs/kubernetes-engine-setup).
*/
enableTpu?: pulumi.Input<boolean | undefined>;
/**
* The IP address of this cluster's Kubernetes master.
*/
endpoint?: pulumi.Input<string | undefined>;
/**
* (DEPRECATED) Configuration for [Enterprise edition](https://cloud.google.com/kubernetes-engine/enterprise/docs/concepts/gke-editions). Structure is documented below. Deprecated because GKE Enterprise features are now available without an Enterprise tier. See https://cloud.google.com/blog/products/containers-kubernetes/gke-gets-new-pricing-and-capabilities-on-10th-birthday for the announcement of this change.
*
* @deprecated GKE Enterprise features are now available without an Enterprise tier. This field is deprecated and will be removed in a future major release
*/
enterpriseConfig?: pulumi.Input<inputs.container.ClusterEnterpriseConfig | undefined>;
/**
* Fleet configuration for the cluster. Structure is documented below.
*/
fleet?: pulumi.Input<inputs.container.ClusterFleet | undefined>;
/**
* Configuration for [GKE Gateway API controller](https://cloud.google.com/kubernetes-engine/docs/concepts/gateway-api). Structure is documented below.
*/
gatewayApiConfig?: pulumi.Input<inputs.container.ClusterGatewayApiConfig | undefined>;
/**
* Configuration options for the auto-upgrade patch type feature, which provide more control over the speed of automatic upgrades of your GKE clusters.
* Structure is documented below.
*/
gkeAutoUpgradeConfig?: pulumi.Input<inputs.container.ClusterGkeAutoUpgradeConfig | undefined>;
/**
* Configuration for the Identity Service. Structure is documented below.
*/
identityServiceConfig?: pulumi.Input<inputs.container.ClusterIdentityServiceConfig | undefined>;
/**
* Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`.
*/
inTransitEncryptionConfig?: pulumi.Input<string | undefined>;
/**
* The number of nodes to create in this
* cluster's default node pool. In regional or multi-zonal clusters, this is the
* number of nodes per zone. Must be set if `nodePool` is not set. If you're using
* `gcp.container.NodePool` objects with no default node pool, you'll need to
* set this to a value of at least `1`, alongside setting
* `removeDefaultNodePool` to `true`.
*/
initialNodeCount?: pulumi.Input<number | undefined>;
/**
* Configuration of cluster IP allocation for
* VPC-native clusters. If this block is unset during creation, it will be set by the GKE backend.
* Structure is documented below.
*/
ipAllocationPolicy?: pulumi.Input<inputs.container.ClusterIpAllocationPolicy | undefined>;
/**
* The fingerprint of the set of labels for this cluster.
*/
labelFingerprint?: pulumi.Input<string | undefined>;
/**
* The location (region or zone) in which the cluster
* master will be created, as well as the default node location. If you specify a
* zone (such as `us-central1-a`), the cluster will be a zonal cluster with a
* single cluster master. If you specify a region (such as `us-west1`), the
* cluster will be a regional cluster with multiple masters spread across zones in
* the region, and with default node locations in those zones as well.
*/
location?: pulumi.Input<string | undefined>;
/**
* Logging configuration for the cluster.
* Structure is documented below.
*/
loggingConfig?: pulumi.Input<inputs.container.ClusterLoggingConfig | undefined>;
/**
* The logging service that the cluster should
* write logs to. Available options include `logging.googleapis.com` (Legacy Stackdriver),
* `logging.googleapis.com/kubernetes` (Stackdriver Kubernetes Engine Logging), and `none`. Defaults to `logging.googleapis.com/kubernetes`.
*/
loggingService?: pulumi.Input<string | undefined>;
/**
* The maintenance policy to use for the cluster. Structure is